Abstract: Techniques described herein provide procedures for reducing MACsec Key Agreement (MKA)-related traffic and improving resource allocation for MKA protocol through an EVPN environment. Techniques include leveraging Border Gateway Protocol (BGP) signaling for MKA between Provider Edge (PE) routers instead of between Customer Edge (CE) routers, which mitigates both hardware restrictions and scalability challenges with a new Xaas enablement. A new BGP-EVPN route type is defined that can communicate a set of MKA information along with an address destination associated with a provider edge device to establish a BGP MKA session and enable MACsec encryption/decryption at the provider edge device.

Abstract: A method includes receiving, by a processing device, a dynamic configuration file. The processing device loads the dynamic configuration file in memory. The method further includes receiving, by the processing device from a first input component, a first request for a configuration resource. The first request includes first environment data associated with the first input component. The method further includes identifying, by the processing device based on the configuration resource of the first request, a dynamic variable in the dynamic configuration file. The dynamic variable includes one or more algorithmically-defined rules. The method further includes executing, by the processing device, at least one of the one or more algorithmically-defined rules of the dynamic variable to determine, based on the first environment data, a first configuration response to the first request. The method further includes providing, by the processing device, the first configuration response to the first input component.

Abstract: Methods, systems, and apparatuses are described herein for protecting sensitive data even when Transport Layer Security (TLS) communication sessions are compromised. A computing device may send, via a web browser plugin of a web browser application executing on the computing device and to one or more remote servers, a request for a server secret that comprises a device fingerprint, an identification of the web browser application, and an identification of the web browser plugin. The computing device may receive the server secret and a public certificate associated with the remote server. The computing device may establish, via the web browser application, a TLS session with the one or more remote servers. The computing device may generate a session key. The computing device may receive data comprising unencrypted data and encrypted data. The computing device may decrypt the encrypted data based on the session key.

Abstract: Methods and systems are described herein for leveraging artificial intelligence to sanitize sensitive data and prevent the data from leaving the mobile device and/or be exposed to unauthorized third parties. More specifically, methods and systems are described for a novel and unconventional architecture for a data sanitization application, a novel and unconventional delivery format for the data sanitization model, and a novel and unconventional output format of the data sanitization model.

Abstract: Authentication request notifications are selectively suppressed, reducing notification fatigue and susceptibility to social engineering attacks. Authentication request notifications may be suppressed by not presenting a push notification on the user's phone. The authentication request may still be accessed and approved by manually opening the authenticator app. Notifications may be suppressed based on an estimation that the person attempting to login is not who they say they are. This estimation may be based on applying heuristics and/or machine learning models to the context of the login attempt, such as the IP address that originated the login request, time of day, recent user actions, patterns of previous logins, etc. One heuristic determines that the user has repeatedly ignored notifications caused by a particular IP address. Machine learning models generate a risk score from the login context, and notifications may be suppressed if the risk score exceeds a threshold.

Abstract: Methods, systems, and computer program products for automated document generation within a collaboration system. Multiple components are operatively interconnected to carry out automated document generation operations. Collaboration activity limitations are enforced over newly-generated documents. The document generation process produces newly-generated documents and other outputs that are stored in the collaboration system. Operational elements of the collaboration system are able to access the generated document and other document generation system outputs to perform content analysis. Based at least in part on results of the content analysis, characteristics of the generated document and characteristics of the corresponding document system I/O, the collaboration system assigns and/or modifies access parameters of the newly-generated document and its metadata. The access parameters control ongoing enforcement of document handling policies.

Abstract: A fraud prevention system that includes a client server and a fraud prevention server. The fraud prevention server includes an electronic processor and a memory. The memory including a trust scoring service. When executing the trust scoring service, the electronic processor is configured to receive a trust score request of a device from the client server, generate, with a trust model, a trust score of the device, and responsive to generating the trust score, output the trust score to the client server in satisfaction of the trust score request, wherein the trust score is distinct from a risk factor, the trust score representing a predicted trust level of the device, and the risk factor representing a fraud risk level associated with the device based on one or more device behaviors.

Abstract: A method for detecting a cyberattack on a network being monitored includes providing a labeled packet capture data training set. Metrics are identified that are indicative of either cyberattack data or normal data. Statistical measures are computed based on the identified metrics. A determination is made if linearization in necessary based on the statistical measures. If necessary the identified metrics are linearized. A machine learning network is then trained on the linearized training data to classify packet capture data as either cyberattack data or normal data. Real packet capture data is intercepted from the network being monitored, and real metrics from the intercepted data is linearized. The trained machine learning network is utilized to identify normal data and cyberattack data from the real data. A user is alerted if the trained machine learning network identifies cyberattack data in the linearized real data.

Abstract: In one embodiment, a secure distributed processing system includes nodes connected over a network, and configured to process tasks, each respective one of the nodes including a respective processor to process data of respective ones of the tasks, and a respective network interface controller to connect to other nodes over the network, store task master keys for use in computing communication keys for securing data transfer over the network for respective ones of the tasks, compute respective task and node-pair specific communication keys for securing communication with respective ones of the nodes over the network for respective ones of the tasks responsively to respective ones of the task master keys and node-specific data of respective node pairs, and securely communicate the processed data of the respective ones of the tasks with the respective ones of the nodes over the network responsively to the respective task and node-pair specific communication keys.

Abstract: The advent of end-to-end encryption systems has put an end to the use of “caching” methods which consisted of replicating and storing data flows relating to content items in a “cache” which is located on board one or more intermediate devices. However, the disappearance of these “caching” solutions affects the management of the resources of different communication devices, particularly by bringing about an increase in the number of connections between communication devices that is necessary for delivering content items to the user terminals. Unlike known “caching” techniques in which the content itself is stored in at least one cache memory of a cache server, the method relies on storing in a cache server all of the messages exchanged between the original server hosting the content and the cache server, leading to the delivery of the content to the cache server.

Abstract: The present disclosure provides methods and apparatuses for improving user security of satellite-ground integrated network systems. On the basis of the satellite-ground integrated network pipeline only authenticates a terminal in a satellite-ground integrated network, a two-stage authentication based on CA digital certificates and user characteristic information is put forward for users and services using the terminal.

Abstract: Systems and methods for access key abuse detection, the systems and methods including steps of receiving activity data relating to an access key from cloud providers associated with a cloud-based system, generating a baseline for the access key based on the activity data, monitoring activities associated with the access key in the cloud-based system, and calculating a score for monitored activities based on a comparison of the monitored activities to the baseline. The present scoring system helps identify an abnormal and risky activity that indicates an attacker is abusing the access key. In addition, a baseline is created for a plurality of selected attributes that present the normal access key usage in order to identify malicious abnormal activities.

Abstract: Systems and methods automate access and permissions to sensitive data or privileged data, by various users or entities, such as those associated with an enterprise, across multiple platforms.

Abstract: A cloud-based platform for zero trust network access (ZTNA) services provides zero trust network access as a service for multiple customers in a multi-tenant architecture. In this context, the configuration for a new ZTNA application is validated with a service proxy in a sandbox or similar environment before release by the cloud-based platform for access through a public network. As a significant advantage, this approach mitigates inadvertent conflicts or instability in a service proxy that supports other applications and customers.

Abstract: A secure web gateway is deployed on the cloud between a web client and a web server. The secure web gateway sends the web client a redirect response status code with a replacement server location in response to a Hypertext Transfer Protocol (HTTP) request sent by the web client to access a target resource on the web server. The secure web gateway thereafter receives from the web client a Hypertext Transfer Protocol Secure (HTTPS) request to access the target resource, the HTTPS request includes the replacement server location. The secure web gateway sends the HTTPS request as an HTTP request to the web server. The secure web gateway receives an HTTP response from the web server, and forwards the HTTP response as an HTTPS response to the web client.

Abstract: Some embodiments provide a two-tier DNS (Domain Name System) service for processing DNS requests. In some embodiments, the two-tier DNS service deploys first and second tiers of service machines, with the second-tier having several groups of service machines each of which is configured to resolve DNS requests for a different set of domain names than the other second-tier group(s). Each service machine in the first-tier is configured to identify the second-tier group responsible for each particular DNS request that the service machine receives for each particular domain name, and to forward the particular DNS request to the second-tier group that it identifies for the particular DNS request. The first-tier DNS service in some embodiments has only one group of service machines. Each first or second service machine group in some embodiments can have one or more service machines, and can be scaled up or down to add or remove service machines to the group (e.g., through an active/active layer 3 scaleout with BGP).

Abstract: Provided is an information processing device that prevents fraudulent updating of registered facial images. The information processing device comprises a database and an updating unit. The database stores a first facial image of a user. In accordance with at least the similarity between the first facial image and a second facial image, the updating unit determines whether to update the first facial image using the second facial image.

Abstract: This disclosure relates to method and apparatus for obtaining data information.

Abstract: Methods, systems and computer storage media are disclosed for providing resources to a platform issue. Embodiments describe associating educational resources and an event resource to resolve the platform issue.

Abstract: An illustrative embodiment disclosed herein is an apparatus including a processor and a memory. In some embodiments, the memory includes programmed instructions that, when executed by the processor, cause the apparatus to apply a category to a first virtual machine (VM) and a second VM, schedule the first VM and the second VM to be placed on a host at least based on the first VM and the second VM including the category, and apply a security policy to the first VM and the second VM at least based on the first VM and the second VM including the category.